Download tracking via CF Analytics Engine

vdavid · vdavid · commit ef0f04944ad4 · 2026-03-04T22:19:25.000+01:00
- License server: `GET /download/:version/:arch` logs version, arch, country, continent to Analytics Engine, then 302s to GitHub Releases
- Website: `release.ts` routes downloads through `PUBLIC_DOWNLOAD_BASE_URL` when set, falls back to direct GitHub links
- Docs: updated `CLAUDE.md`, `infrastructure.md`, `deploy-website.md`
- Also updated all license server NPM packages to latest
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -131,6 +131,21 @@ Or add it via CLI like:
 Since the agent shares the context with your IDE/client, enabling the MCP server makes the tools available to the agent
 automatically.
 
+## Cloudflare access (license server)
+
+The license server is a Cloudflare Worker. To deploy it or run `wrangler` commands, you need a Cloudflare API token.
+
+1. Go to https://dash.cloudflare.com/profile/api-tokens → **Create Token** → **Custom token**
+2. Permissions: `Account / Workers Scripts / Edit`, `Account / Analytics Engine / Read`
+3. Account resources: the Cmdr account only
+4. Add to `~/.zshenv` (sourced for all shells, including non-interactive agent sessions):
+   ```sh
+   export CLOUDFLARE_API_TOKEN="your-token"
+   ```
+5. Restart your shell or `source ~/.zshenv`
+
+Wrangler picks up `CLOUDFLARE_API_TOKEN` automatically — no `wrangler login` needed.
+
 ## Infrastructure access (maintainers)
 
 If you have SSH access to the production server (`ssh hetzner`) and credentials for services like Umami, Cloudflare,
diff --git a/apps/license-server/CLAUDE.md b/apps/license-server/CLAUDE.md
@@ -18,13 +18,14 @@ license keys, stores short activation codes in KV, and emails keys via Resend.
 
 ## Routes
 
-| Method | Path              | Auth         | Purpose                                            |
-| ------ | ----------------- | ------------ | -------------------------------------------------- |
-| GET    | `/`               | —            | Health check                                       |
-| POST   | `/webhook/paddle` | HMAC sig     | Purchase completed → generate & email key(s)       |
-| POST   | `/activate`       | —            | Exchange short code → full cryptographic key       |
-| POST   | `/validate`       | —            | Check subscription status via Paddle API           |
-| POST   | `/admin/generate` | Bearer token | Manual key generation (customer service / testing) |
+| Method | Path                       | Auth         | Purpose                                            |
+| ------ | -------------------------- | ------------ | -------------------------------------------------- |
+| GET    | `/`                        | —            | Health check                                       |
+| POST   | `/webhook/paddle`          | HMAC sig     | Purchase completed → generate & email key(s)       |
+| POST   | `/activate`                | —            | Exchange short code → full cryptographic key       |
+| POST   | `/validate`                | —            | Check subscription status via Paddle API           |
+| POST   | `/admin/generate`          | Bearer token | Manual key generation (customer service / testing) |
+| GET    | `/download/:version/:arch` | —            | Log download to Analytics Engine, 302 → GitHub     |
 
 ## Data flow
 
@@ -39,6 +40,8 @@ Paddle webhook → HMAC verify (live + sandbox secrets)
 App activation: POST /activate → KV.get(shortCode) → return fullKey
 
 Subscription validation: POST /validate → Paddle API transactions + subscriptions
+
+Download redirect: GET /download/:version/:arch → log to Analytics Engine → 302 to GitHub Releases
 ```
 
 ## Key patterns
@@ -63,6 +66,10 @@ Cloudflare secrets (`wrangler secret put`), never in `wrangler.toml`.
 **No database:** All state lives in Cloudflare KV. Short codes never expire (perpetual licenses last forever);
 subscription validity is checked live via Paddle API.
 
+**Download tracking:** Uses Cloudflare Analytics Engine (binding: `DOWNLOADS`, dataset: `cmdr_downloads`).
+`writeDataPoint` is fire-and-forget. Data schema: indexes=[version], blobs=[version, arch, country, continent],
+doubles=[1]. Query via CF Analytics Engine SQL API.
+
 ## Dependencies
 
 Runtime: `hono`, `@noble/ed25519`, `resend` Dev: `wrangler`, `vitest`, `typescript`, `eslint`, `prettier`
diff --git a/apps/license-server/README.md b/apps/license-server/README.md
@@ -46,7 +46,7 @@ them to customers via Resend.
     URL `https://cmdr-license-server.veszelovszki.workers.dev/webhook/paddle`, and tick event `transaction.completed`.
 11. Paddle (sandbox): Click "..." → Edit destination → copy "Secret key". (Looks like `pdl_ntfset_01keh5q...`)
 12. TODO: Paddle live!
-13. Cloudflare: (first time only) `npx wrangler login` to log in to Cloudflare.
+13. Cloudflare: Set `CLOUDFLARE_API_TOKEN` in `~/.zshenv` (see [CONTRIBUTING.md](../../CONTRIBUTING.md#cloudflare-access-license-server) for how to create one). Alternatively, run `npx wrangler login` for browser-based OAuth (interactive only, won't work for agents).
 14. Cloudflare: Set secrets (supports both live and sandbox simultaneously):
     - `npx wrangler secret put PADDLE_WEBHOOK_SECRET_SANDBOX` - From sandbox webhook (step 11)
     - `npx wrangler secret put PADDLE_WEBHOOK_SECRET_LIVE` - From live webhook (once approved)
@@ -104,12 +104,14 @@ Then open http://localhost:3333 and click "Buy Cmdr".
 
 ## Endpoints
 
-| Method | Path              | Description                                        |
-| ------ | ----------------- | -------------------------------------------------- |
-| `GET`  | `/`               | Health check                                       |
-| `POST` | `/webhook/paddle` | Paddle webhook (generates and emails license)      |
-| `POST` | `/validate`       | Validate license key (returns subscription status) |
-| `POST` | `/admin/generate` | Manual license generation (requires auth header)   |
+| Method | Path                       | Description                                        |
+| ------ | -------------------------- | -------------------------------------------------- |
+| `GET`  | `/`                        | Health check                                       |
+| `POST` | `/webhook/paddle`          | Paddle webhook (generates and emails license)      |
+| `POST` | `/activate`                | Exchange short code for full cryptographic key      |
+| `POST` | `/validate`                | Validate license key (returns subscription status) |
+| `POST` | `/admin/generate`          | Manual license generation (requires auth header)   |
+| `GET`  | `/download/:version/:arch` | Log download to Analytics Engine, 302 → GitHub     |
 
 ## Architecture decisions
 
diff --git a/apps/license-server/package.json b/apps/license-server/package.json
@@ -20,20 +20,20 @@
     },
     "dependencies": {
         "@noble/ed25519": "^3.0.0",
-        "hono": "^4.12.2",
-        "resend": "^6.6.0"
+        "hono": "^4.12.5",
+        "resend": "^6.9.3"
     },
     "devDependencies": {
-        "@cloudflare/workers-types": "^4.20260131.0",
-        "@eslint/js": "^9.39.2",
-        "eslint": "^9.39.2",
+        "@cloudflare/workers-types": "^4.20260301.1",
+        "@eslint/js": "^10.0.1",
+        "eslint": "^10.0.2",
         "eslint-config-prettier": "^10.1.8",
-        "eslint-plugin-prettier": "^5.5.4",
-        "globals": "^17.0.0",
-        "prettier": "^3.7.4",
+        "eslint-plugin-prettier": "^5.5.5",
+        "globals": "^17.4.0",
+        "prettier": "^3.8.1",
         "typescript": "^5.9.3",
-        "typescript-eslint": "^8.52.0",
-        "vitest": "^4.0.16",
-        "wrangler": "^4.61.1"
+        "typescript-eslint": "^8.56.1",
+        "vitest": "^4.0.18",
+        "wrangler": "^4.70.0"
     }
 }
diff --git a/apps/license-server/src/index.ts b/apps/license-server/src/index.ts
@@ -13,6 +13,8 @@ import {
 type Bindings = {
     // KV namespace for license code -> full key mappings
     LICENSE_CODES: KVNamespace
+    // Analytics Engine for download tracking
+    DOWNLOADS: AnalyticsEngineDataset
     // Paddle webhook secrets (both optional to support gradual rollout)
     PADDLE_WEBHOOK_SECRET_LIVE?: string
     PADDLE_WEBHOOK_SECRET_SANDBOX?: string
@@ -434,4 +436,29 @@ app.post('/admin/generate', async (c) => {
     return c.json({ code: shortCode, type, organizationName: organizationName ?? null })
 })
 
+// Download redirect — tracks version, arch, and country, then redirects to GitHub Releases
+const validArchitectures = new Set(['aarch64', 'x86_64', 'universal'])
+const versionPattern = /^\d+\.\d+\.\d+$/
+
+app.get('/download/:version/:arch', (c) => {
+    const { version, arch } = c.req.param()
+
+    if (!versionPattern.test(version) || !validArchitectures.has(arch)) {
+        return c.json({ error: 'Invalid version or architecture' }, 400)
+    }
+
+    const cf = c.req.raw.cf as { country?: string; continent?: string } | undefined
+    const country = cf?.country ?? 'unknown'
+    const continent = cf?.continent ?? 'unknown'
+
+    // Fire-and-forget — writeDataPoint is non-blocking
+    c.env.DOWNLOADS.writeDataPoint({
+        indexes: [version],
+        blobs: [version, arch, country, continent],
+        doubles: [1],
+    })
+
+    return c.redirect(`https://github.com/vdavid/cmdr/releases/download/v${version}/Cmdr_${version}_${arch}.dmg`, 302)
+})
+
 export default app
diff --git a/apps/license-server/wrangler.toml b/apps/license-server/wrangler.toml
@@ -9,6 +9,11 @@ compatibility_date = "2025-01-01"
 binding = "LICENSE_CODES"
 id = "64418f5cb33e4c629fe0ccf51be76399"
 
+# Analytics Engine for download tracking (created automatically on first write)
+[[analytics_engine_datasets]]
+binding = "DOWNLOADS"
+dataset = "cmdr_downloads"
+
 [vars]
 # Non-secret config
 PRODUCT_NAME = "Cmdr"
diff --git a/apps/website/.env.example b/apps/website/.env.example
@@ -16,6 +16,12 @@ PUBLIC_PADDLE_ENVIRONMENT=sandbox
 # Get the list UUID from the Listmonk admin UI: Lists > your list > Settings
 PUBLIC_LISTMONK_LIST_UUID=
 
+# Download tracking redirect
+# Routes downloads through the license server for server-side analytics.
+# Production: https://license.getcmdr.com — downloads become /download/{version}/{arch}
+# Leave empty to link directly to GitHub Releases (useful for dev).
+PUBLIC_DOWNLOAD_BASE_URL=
+
 # Umami analytics (self-hosted, cookieless)
 # Leave PUBLIC_UMAMI_WEBSITE_ID empty to disable tracking (for example, in dev env)
 PUBLIC_UMAMI_HOST=https://your-umami-instance.example.com
diff --git a/apps/website/src/lib/release.ts b/apps/website/src/lib/release.ts
@@ -2,16 +2,19 @@ import latestRelease from '../../public/latest.json'
 
 export const version = latestRelease.version
 
-const base = `https://github.com/vdavid/cmdr/releases/download/v${version}`
+const downloadBase = import.meta.env.PUBLIC_DOWNLOAD_BASE_URL
+const githubBase = `https://github.com/vdavid/cmdr/releases/download/v${version}`
 
-export const dmgUrls = {
-    aarch64: `${base}/Cmdr_${version}_aarch64.dmg`,
-    x86_64: `${base}/Cmdr_${version}_x86_64.dmg`,
-    universal: `${base}/Cmdr_${version}_universal.dmg`,
+function dmgUrl(arch: string): string {
+    if (downloadBase) return `${downloadBase}/download/${version}/${arch}`
+    return `${githubBase}/Cmdr_${version}_${arch}.dmg`
 }
 
-/** @deprecated Use dmgUrls instead */
-export const dmgUrl = dmgUrls.universal
+export const dmgUrls = {
+    aarch64: dmgUrl('aarch64'),
+    x86_64: dmgUrl('x86_64'),
+    universal: dmgUrl('universal'),
+}
 
 function formatBytes(bytes: number): string {
     return `${Math.round(bytes / (1024 * 1024))} MB`
diff --git a/docs/guides/deploy-website.md b/docs/guides/deploy-website.md
@@ -158,6 +158,7 @@ Set the following (get values from the relevant dashboards):
 | `PUBLIC_LISTMONK_LIST_UUID` | Listmonk admin > Lists > your list > Settings |
 | `PUBLIC_UMAMI_HOST` | Your Umami instance URL (for example, `https://analytics.example.com`) |
 | `PUBLIC_UMAMI_WEBSITE_ID` | Umami > Settings > Websites > getcmdr.com > ID |
+| `PUBLIC_DOWNLOAD_BASE_URL` | `https://license.getcmdr.com` — routes downloads through the license server for analytics. Leave empty to link directly to GitHub. |
 
 ### 9. Set up Docker network and do initial deploy
 
diff --git a/docs/specs/analytics-plan.md b/docs/specs/analytics-plan.md
@@ -194,15 +194,18 @@ implementing the above:
 - [x] Add download event tracking to `Download.astro`
 - [x] Add env vars to `.env.example` and deployment config
 - [x] Set `PUBLIC_UMAMI_HOST` and `PUBLIC_UMAMI_WEBSITE_ID` in production deployment env
-- [ ] Verify data flows in Umami dashboard
+- [x] Verify data flows in Umami dashboard
 
 ### Milestone 2: Download tracking (CF Worker)
-- [ ] Decide: new route in license server vs separate Worker
-- [ ] Enable Analytics Engine in `wrangler.toml`
-- [ ] Implement `/download/:version/:arch` redirect endpoint
-- [ ] Update website download links to use the redirect
-- [ ] Update release workflow if `latest.json` needs changes
-- [ ] Test end-to-end: download via redirect, verify event logged
+- [x] Decide: new route in license server (avoids another deployment target)
+- [x] Enable Analytics Engine in `wrangler.toml` (binding: `DOWNLOADS`, dataset: `cmdr_downloads`)
+- [x] Implement `/download/:version/:arch` redirect endpoint in `index.ts`
+- [x] Update website `release.ts` to use redirect when `PUBLIC_DOWNLOAD_BASE_URL` is set
+- [x] Update `.env.example` with `PUBLIC_DOWNLOAD_BASE_URL`
+- [x] Update license server `CLAUDE.md` with new route and Analytics Engine docs
+- [x] Set `PUBLIC_DOWNLOAD_BASE_URL` in website production env
+- [x] Deploy license server: `cd apps/license-server && pnpm cf:deploy`
+- [ ] Test end-to-end: download via redirect, verify event logged in Analytics Engine
 
 ### Milestone 3: In-app analytics (PostHog)
 - [ ] Create PostHog project, get API key
diff --git a/docs/tooling/infrastructure.md b/docs/tooling/infrastructure.md
@@ -95,13 +95,59 @@ curl -s "${UMAMI_API_URL}/api/websites/5ea041ae-b99d-4c31-b031-89c4a0005456/stat
   -H "Authorization: Bearer $TOKEN" | jq '.'
 ```
 
+**Query events directly in the DB** (useful when the API shows zero but you need to verify):
+
+```bash
+ssh hetzner "docker exec umami-db psql -U umami -d umami -c \
+  \"SELECT created_at, url_path FROM website_event \
+   WHERE website_id = '5ea041ae-b99d-4c31-b031-89c4a0005456' \
+   ORDER BY created_at DESC LIMIT 10;\""
+```
+
 **Full API docs**: https://umami.is/docs/api
 
+### Troubleshooting
+
+If events aren't recording:
+
+1. **Check CSP headers**: The nginx CSP in `apps/website/nginx.conf` must allow `anal.veszelovszki.com` in both
+   `script-src` (loads the script) and `connect-src` (sends events). Run
+   `curl -sI https://getcmdr.com | grep content-security-policy` to verify.
+2. **Check the Umami container**: `ssh hetzner "docker logs --tail 20 umami"`. The "Failed to find Server Action"
+   errors are harmless (Next.js UI cache mismatch). Look for DB connection errors.
+3. **Check the DB directly**: Use the psql query above. If the API returns zero but the DB has rows, it's a time
+   range or timezone issue in the API query.
+4. **Bot filtering**: Umami silently drops events with minimal `User-Agent` strings. Real browsers work fine. A
+   `curl` test needs a full browser-like UA to be recorded.
+
+## Download tracking (Cloudflare Analytics Engine)
+
+The license server has a `GET /download/:version/:arch` endpoint that logs downloads to Cloudflare Analytics Engine
+(dataset: `cmdr_downloads`) and 302-redirects to the GitHub Releases .dmg. The website routes download links through
+this endpoint when `PUBLIC_DOWNLOAD_BASE_URL` is set.
+
+**Data schema**: indexes=[version], blobs=[version, arch, country, continent], doubles=[1].
+
+**Query downloads** via the [CF Analytics Engine SQL API](https://developers.cloudflare.com/analytics/analytics-engine/sql-api/).
+Create an API token with `Account Analytics Read` permission, then:
+
+```bash
+curl -s "https://api.cloudflare.com/client/v4/accounts/{account_id}/analytics_engine/sql" \
+  -H "Authorization: Bearer {api_token}" \
+  -d "SELECT blob1 AS version, blob2 AS arch, blob3 AS country, SUM(_sample_interval) AS downloads
+      FROM cmdr_downloads
+      WHERE timestamp > NOW() - INTERVAL '30' DAY
+      GROUP BY version, arch, country
+      ORDER BY downloads DESC"
+```
+
+The dataset is created automatically on the first write — no setup needed beyond deploying the license server.
+
 ## Other services
 
 | Service | Where | Access | Docs |
 | --- | --- | --- | --- |
-| **Cloudflare** (DNS, Workers) | cloudflare.com dashboard | Login required | [License server README](../../apps/license-server/README.md) |
+| **Cloudflare** (DNS, Workers) | cloudflare.com dashboard | `CLOUDFLARE_API_TOKEN` in `~/.zshenv` (see [CONTRIBUTING.md](../../CONTRIBUTING.md#cloudflare-access-license-server)) | [License server README](../../apps/license-server/README.md) |
 | **Paddle** (payments) | vendors.paddle.com | Login required | — |
 | **UptimeRobot** (monitoring) | uptimerobot.com | Login required | [monitoring.md](monitoring.md) (alerts, status page) |
 | **Resend** (email) | resend.com | Login required | [Listmonk README](../../infra/listmonk/README.md) |
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
